OpenSSH-Client without reverse tunnel ability


Good day!

A few weeks ago, we had a security breach in the company I'm working
for, because employees used "ssh -R" to expose systems from our internal
network to some SSH server in the outer world.

Of course, this is a breach of our internal security policy, but led us
to wonder whether there is a technical solution to prevent our users
from creating SSH-reverse-tunnels.

After a lot of googling, there seems to be no option for the
system-wide client config that would do the trick nor any other suitable
solution. (Watching ps is not sufficient, as the users can also specify
reverse tunnels in their client config or create them from an already
existing connection.)

Is it possible to achieve this without nasty workarounds like wrapper
scripts monitoring the very-verbose output of SSH or doing DPI?
Alternatively, would it be possible to add a config option, allowing an
administrator to disable reverse port forwarding or limit its destinations?


Thank you in advance,

Jan Bergner
-- 
________________________________________
*Jan Bergner, M.Sc. *
Software Engineer
 
*indurad GmbH*
*The Industrial Radar Company*
 
Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99

jan.bergner@xxxxxxxxxxx
www.indurad.com <http://www.indurad.com/>
_______________________________________



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
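
An added example, not part of the original post and not OpenSSH code: the post notes that watching ps misses reverse tunnels set in the client config, so this Python audit helper checks both an ssh argument vector and the text of a client config for reverse forwards. The argument-taking option letters are taken from the ssh(1) synopsis, the host names and sample config are constructed, and forwards added from within an already existing connection remain invisible to it.

```python
import re

# Short options of ssh(1) that consume an argument (per the ssh(1) synopsis).
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
# ssh_config syntax: keyword, then whitespace or a single '=', then the value.
KEYWORD = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.+?)\s*$")

def config_remote_forwards(text):
    """Return the values of all RemoteForward directives (keywords are case-insensitive)."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEYWORD.match(line)
        if m and m.group(1).lower() == "remoteforward":
            found.append(m.group(2))
    return found

def argv_remote_forwards(argv):
    """Return reverse-forward specs from an ssh command line (-R or -o RemoteForward=...)."""
    found, i, host_seen = [], 1, False
    while i < len(argv):
        arg = argv[i]
        if len(arg) < 2 or arg[0] != "-":
            if host_seen:
                break          # second non-option starts the remote command
            host_seen = True   # ssh keeps parsing options after the destination
            i += 1
            continue
        for j in range(1, len(arg)):       # walk bundled flags such as -fNR
            if arg[j] in TAKES_ARG:
                value = arg[j + 1:]        # attached form: -R2222:localhost:22
                if not value and i + 1 < len(argv):
                    i += 1                 # detached form: -R 2222:localhost:22
                    value = argv[i]
                if arg[j] == "R":
                    found.append(value)
                elif arg[j] == "o":
                    found += config_remote_forwards(value)
                break
        i += 1
    return found

# Constructed sample of a user's ~/.ssh/config.
SAMPLE_CONFIG = """\
# RemoteForward 1 localhost:1
Host jump
    HostName jump.example.org
    remoteforward 2222 localhost:22
"""
```
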
